Award-winning news, views, and insight from the ESET security community

Stratfor hack – lessons learned

Recently we noted that unencrypted credit card storage was on the rise in 2011, and also highlighted the expense involved to the company in the event of a credit card breach. Now we see personal data – including unencrypted credit card information – being paraded out as a part of the recent Stratfor hack. Also,

Recently we noted that unencrypted credit card storage was on the rise in 2011, and also highlighted the expense involved to the company in the event of a credit card breach. Now we see personal data – including unencrypted credit card information – being paraded out as a part of the recent Stratfor hack. Also,

Also, we note the hackers say they used a dictionary attack to crack the passwords that were leaked. One of the leaked passwords was – you guessed it – “password”, and another only slightly more complex “Password1”, trivial for dictionary-based attacks to crack.

Now Stratfor has begun the long slow process of rebuilding trust. It has tapped CSID for help, an indentity protection firm, which has offered 12 months of free identity protection for those affected. Free to the affected users, not free to Stratfor. Breach costs can rise fast and reach lofty heights quickly. Also, the upfront costs of the immediate remediation are only part of the equation, with customer confidence and bad publicity lingering for months or years after the events. Organizations that respond quickly and proactively tend to do better at restoring confidence, but it still takes its toll.

Since Stratfor was involved in the intelligence community, it may also serve as a reminder for those in trusted sectors to run through a year-end check to make sure the basics are in place. It might be a good time to revisit the password complexity and update frequency policy. Also, taking time to encrypt your credit card data seems like good insurance. Both of these are far cheaper and less embarrassing than being paraded about as the latest victim of a breach, and won’t impact next year’s budget much at all. But they will impact your peace of mind, knowing the protections are in place. It would certainly be a good way to start the new year.